Thanks for replying. I was a bit occupied, so I could not back soon. Going by your mail, I went through the certificate generation process again. What I found is that for some reason, the cacert.pem file(which is the certificate for the CA) shows the following -
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
I am attaching the steps I followed and the certificate files generated as per the tutorial
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2.

Shouldn't the above field be CA:true? Also, how do I make sure that the flag that you mentioned below gets set to "SSL server".
Thanks,
Sirisha.

On Fri, May 28, 2010 at 11:44 PM, Brett @Google <brett.maxfield@gmail.com> wrote:
On Fri, May 28, 2010 at 9:39 AM, s g <sirisha.kmb@gmail.com> wrote:

javax.naming.CommunicationException: simple bind failed: vcheung-181.lab.xxxx.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server]
     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)

You probably have your certs round the wrong way. The server cert (on the ldap server)  should have 'SSL Server' usage flag the client cert (on the ldap client) should have 'SSL Client' usage flag.

The usage flags are embedded when you make the csr (certificate request) which will then usually be reflected in the generated certificate, unless your CA overrides them.

Do a "openssl x509 -in <cert file> -noout -text" to compare the two certificates.

Cheers
Brett